By Josh Bressers, Anchore and Kate Stewart, Linux Foundation
SBOM Everywhere is a Special Interest Group (SIG) within the Security Tooling Working Group of the OpenSSF. In September we funded work on the SPDX Python library and are now happy to report the recent 0.7.0 release of the Python SPDX-Tools package, which is available to download on GitHub and PyPI. Read on for more details on SBOM Everywhere, SPDX-Tools, and what this means for the wider open source community.
The initial motivation for SBOM Everywhere came from OpenSSF’s Open Source Software Security Mobilization Plan, where one named priority was around improving SBOM tooling and training to drive adoption. SBOM, which stands for software bill of material information, is essentially a machine-readable list of software’s internal components. SBOMs are necessary to more easily identify vulnerabilities and understand software supply chains, so that everyone can keep their software systems more secure.
SPDX is an open standard that provides a common format for companies and communities to share important SBOM data. And Python SPDX-Tools is a Python library that can be used to parse, validate and create SPDX documents, used either as a library or a CLI tool, thus helping users with security, compliance, and understanding their dependencies. One of the first goals of the OpenSSF’s SBOM Everywhere effort was to fund development on tooling through the Python SPDX-Tools library.
The new release of Python SPDX-Tools provides support for SPDX V2.3 for json, yaml, xml and tag-value files. The Python SPDX-Tools team would like to encourage you to test the new release with all of your use cases! Please feel free to open an issue if a feature is missing or if you find a bug. Finally, in case you are migrating from the previous 0.6.1 version, the team has created a wiki page detailing the necessary changes.
How you can get involved
As more organizations adopt SBOM, we would love to establish a vibrant community around foundational tooling such as SPDX Python-Tools. As you use Python SPDX-Tools, let the team know any feedback about features, bugs, or improvements, or feel free to contribute code, test files, or documentation yourself. You may also have a look at the current state of the SPDX3 prototype of the library.
If you want to talk to the team directly, feel free to join our weekly sync meeting every Thursday at 4:30pm GMT (5pm GMT on every first Thursday of the month). Or write an email via the SPDX tech mailing list to arrange a discussion at a different time.
To get involved in discussions around SBOM tooling and adoption more broadly, get involved in the SBOM Everywhere SIG group by joining the biweekly Security Tooling WG meetings. We hope to see you and/or your organization help us further drive adoption of SBOM and take this effort to the next level!